Thursday, January 30, 2014

I've got 40 brand new copies of Inside Cyber Warfare which I'll sign and mail to the first 40 people who register to attend Suits and Spooks Security Town Hall San Francisco (S&S@RSAC). And, as an added bonus, the first 25 will receive a signed copy of the brand new third edition that's coming out later in 2014.

For those of you who have already registered, your copy is going out tomorrow.

Here's what you need to know about the event. I can promise that you won't see this collection of well-know and well-regarded authorities anywhere, and you may never get another chance to speak with them so don't miss out.

Put your passion for security and/or privacy to good use and get rewarded for it.

UPDATE (Feb 10 2014): I still have about 7 books to give away. Register today!

Wednesday, January 29, 2014

Warning: This post contains some profanity and is filled to the brim with opinion. Don't read it if you're easily offended.

If you haven't heard by now, I've contracted with the Ritz Carlton San Francisco hotel to host a 3 hour cocktail reception called the Suits and Spooks Security Town Hall on the evening of February 27th, which falls during the RSA Conference (RSAC) week. I did this on the heels of completing an exhausting two day Suits and Spooks DC event last week. Here's why.

Some people that I respect who have formerly worked in the IC kept telling me that I and others who were upset over the NSA/RSA deal didn't have all the facts; that the NSA bends over backwards to protect the rights of U.S. citizens; and so on. My response to them was that (a) no one ever has all the facts including "cleared" analysts, and that we all must deal with the facts at hand as responsible citizens, taxpayers, and voters; and (b) I have no doubt that NSA employees do their best every day to protect the rights of U.S. citizens within their legal guidelines. However, the legal guidelines need to be changed. They aren't holy writ, you aren't priests, and we aren't living in the Dark Ages where one cannot question the law.

The extreme opposite side of the debate has its share of problems as well. Some are privacy advocates who are either too naive to know that bad people mean us harm or too narcissistic to care. The fact is that if you're in that group, your opinion is held at no cost to you. If another tragedy occurs because the NSA lost critical assets due to Snowden's criminal acts, it won't be you who's held responsible. It'll be the entire Intelligence Community. No matter what you or I think about the need for intel reform, we have ZERO skin in the game. They are the ones who are working for less than competitive wages in the service of their country. They are the ones who will be held responsible when another tragedy occurs, not some Twitter warrior who's never had to make a harder decision than figuring out how to incorporate "ninja" into his social media bio.

After I recovered from three days of no sleep and little to eat during Suits and Spooks DC, I scanned the talks for B-SidesSF and TrustyCon, thinking that I'd find at least a few speakers who would address the NSA/RSA issue; especially after all the shit I heard about how the 12 of us who did boycott RSAC were just doing it for the publicity and/or basically wasting our time. Surely some of those critics would have submitted talks to BSides so that they could "work from within" to evoke change. Astoundingly, BSidesSF final agenda showed ZERO talks on the subject. The reason, according to BSidesSF when I commented about it on Twitter, was that they hadn't received any submissions! What the fuck does it take to make a cyber security engineer or researcher mad enough to do something substantive instead of just arguing on social media? You may be perfectly comfortable living and working in a digital universe, but it's not enough to tweet your outrage. You still need to get your hands dirty. You need to take a stand about something which COSTS YOU SOMETHING. Otherwise, you haven't done shit.

So, I decided to give at least 100 people of the 20,000 or more who would be at RSAC a chance to do something constructive with their feelings and opinions about how we are or aren't balancing national security concerns with the right to privacy; about how massive surveillance world-wide is unacceptable and counter-productive, or is exactly what we need to do. I decided to create a 3 hour Security Town Hall with some of the best and brightest people I could convince to come to represent both sides of the issue, and to run it using the Suits and Spooks format that encourages interaction between speakers and attendees. Yes, you can go to TrustyCon, B-SidesSF, and RSAC and hear some terrific speakers, but can you as an attendee engage with them? Probably not. Certainly not at the level that we do it at Suits and Spooks where after the first 10 minutes, the speaker can be challenged at any time.

So here's my challenge to you. If you think the NSA is doing something wrong or could be accomplishing its missions better, come to the town hall and ask a former NSA Inspector General and a former NSA General Counsel your questions. Even better, listen to what some of the most experienced and educated leaders in national security and privacy have to say to each other and on what points they challenge each other, and then ask your question or make your point. This may be the only time that you'll ever have a chance to meet and speak with Joel Brenner, Stewart Baker, Mike Janke, Nate Fick, Katherine Maher, Chris Soghoian, Carson Sweet, Geoff Hancock, Erin Simpson, Danny Yadron, and a few more outstanding individuals yet to be announced - all in one place and all willing to speak and share viewpoints and opinions with you and every other attendee who cares enough to come, listen, ask questions, have your opinions challenged, and hopefully leave with a fire lit in your belly to take action regardless of which side of the debate you support.

Finally, I want to point out that 100% of all of the registration fees (minus 2.9% credit card processing) goes to one of four charitable foundations which you select when you register. So regardless of your feelings about me personally, you can come knowing that your dollars are helping the EFF, the ACLU, the CIA Officers Memorial Foundation, or the NSA Cryptologic Museum. And that I and the event's sponsors are paying for everything else except your drinks. It's a cash bar.

Friday, January 24, 2014

As part of my ongoing efforts to sort fact from fiction regarding the RSA - NSA debacle, I learned that BlackBerry, Ltd (NASDAQ: BBRY), with its acquisition of Certicom in 2009, became the patent-holder for Dual_EC_DRBG. And since BlackBerry devices are used by so many government and military customers, I contacted the company to inquire whether they had notified their customers about the NIST warning. Before I share what happened with that inquiry, here's a short recap of the facts:

In 2003, Certicom announced that it licensed its Elliptic Curve Cryptography technology to the NSA for US$25 million.

In 2004, the NSA convinced RSA to make it the default CPRNG (Crypto Pseudo Random Number Generator) for its BSAFE software for an alleged US$10 million.

In February, 2006, RSA announced that BSAFE had conformed with Suite B cryptography requirements issued by the NSA.

In March, 2006, RSA announced that the NSA had chosen BSAFE "for use in a classified communications project".

Starting in March, 2006 and continuing into 2007, security researchers Kristian Gjøsteen, Berry Schoenmakers and Andrey Sidorenko, Dan Shumow and Niels Ferguson, and Bruce Schneier all published articles warning about weaknesses in Dual EC DRBG. The final NIST standard SP 800-90A published in June 2006 included mention of those weaknesses as unresolved.

BlackBerry Algorithm Library for Secure Work Space Version 1.0. ""The BlackBerry Algorithm Library for Secure Work Space provides a suite of cryptographic services utilized by the BlackBerry Cryptographic Library for the BlackBerry Secure Work Space (BBSWS). BBSWS provides the secure operation and management of iOS and Android devices when used in conjunction with BlackBerry® mobile device management solutions."

I passed this information to BlackBerry and within a couple of days received this response from Mike K. Brown, VP of Security Product Management & Research, BlackBerry.:

"The Dual EC DRBG algorithm is only available to third party developers via the Cryptographic APIs on the platform. In the case of the Cryptographic API, it is available if a 3rd party developer wished to use the functionality and explicitly designed and developed a system that requested the use of the API."

I then asked if BlackBerry has forwarded the NIST warning about not using Dual EC DRBG to its customers or developers and received this response:

"Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."

does not meet BlackBerry's definition of a vulnerability, the company hasn't issued an advisory. If you are a BlackBerry customer or developer, be advised that it's apparently up to you to keep informed about possible backdoors among the encryption algorithms included with BlackBerry products.

Wednesday, January 22, 2014

For the last three Suits and Spooks events I've invited retired and former Navy SEALs to speak about which of their skills and training might transfer over to cyber security engineers. After all, they're both in the business of engaging adversaries albeit under very different conditions and rules of engagement, and I know that lots of security engineers are military veterans or have held civilian jobs with the DOD. So the panel's concept made a lot of sense to me. So far, though, it has met with mixed reactions among attendees for a few reasons:

Some attendees have trouble relating to what they're hearing for a variety of different reasons

Some are looking to apply only the tactical takedown of a target and finding a way to do something similar to a foreign hacker

Some wonder why I only have the Navy Special Warfare guys represented (see my answer to that below)

Yesterday's panel, with the addition of an active duty operational SOFer helped me understand the problem better. Here are a few of my observations about why this process of extrapolating useful ideas from one discipline to another may be problematic:

SOFers have a known target to attack. It's rarely that black and white for cyber security folks.

SOFers have very well-defined Rules of Engagement (ROE). We have an out-dated CFAA and no clear-cut policies or understanding on where to draw the line between passive defense and active defense.

SOFers are elite, highly trained individuals who have overcome obstacles that would stop 99% of the rest of us because quitting is not in their DNA. In Cyber, while we have much different obstacles albeit quite difficult ones, I see more and more engineers rationalizing why they can't do something instead of working the problem in different ways until they're successful.

SOFers understand the importance of a team, and each man's primary concern is to keep his teammate alive. Cyber security engineers may work together but I doubt that very many believe that their primary mission is to support their colleagues by keeping them motivated, enthusiastic, and always in the fight. Correct me if I'm wrong on that.

Personally, I feel quite lucky to have been able to meet former Team guys who are now doing amazing things related to cyber security like Mike Janke and Vic Hyder who co-founded Silent Circle; David Howe at Civitas Group; and "Woody" who will soon retire after 20 yrs of service and is so eager and passionate about finding a way to embark on a new career in cyber security.

I feel lucky because they and other Team guys who are personal friends like Rob DuBois and Thomas Dzieran have taught me the importance of (1) developing an iron-hard mental attitude to never quit in the face of difficulty; (2) not to accept or make excuses about why I can't achieve something; (3) the critical importance of building a team of like-minded people; and (4) the equally critical importance of not associating with those who dispute the validity of 1, 2, and 3.

And please note my use of "SOFer". While my examples all come from the Navy, that's only because those are the guys I happen to know. I haven't met anyone from Delta, SAS, or any other Special Operations Forces units. However, if you come from those units or know ones who do, please ask them if they'd be interested in participating at a future Suits and Spooks event. I'd love to include them.

Wednesday, January 15, 2014

Meet Certicom, a subsidiary of Blackberry Ltd, who provides the core technology for the National Security Agency (NSA) Suite B standard for secure government communications. Certicom holds 350 patents, many of which cover key aspects of Elliptic Curve Cryptography (ECC) including this one:

Elliptic curve random number generation

Abstract

An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

Certicom was acquired by Research In Motion (now known as Blackberry Ltd) in March 2009 but it has been in business since 1985. The patent authors are two Certicom employees Daniel Brown and Scott A. Vanstone who are also members of the ANSI X9.82 standardization committee. Matthew Green, a cryptography professor at Johns Hopkins, wrote a blog post describing Dual EC DRBG's history with Brown and Vanstone, ANSI and the NSA on December 28, 2013.

The existence of this patent does not mean that Brown and Vanstone were responsible for Dual EC. In fact, the generator appears to be an NSA invention, and may date back to the early 2000s. What this patent demonstrates is that some members of the ANSI committee, of which RSA was also a member, had reason to at least suspect that Dual EC could be used to create a wiretapping backdoor. (Update: John Kelsey confirms this.)

To date, Blackberry has not made a public announcement about its use of Dual EC DRBG but here are the Blackberry products that use it according to NIST:

"The BlackBerry Algorithm Library for Secure Work Space provides a suite of cryptographic services utilized by the BlackBerry Cryptographic Library for the BlackBerry Secure Work Space (BBSWS). BBSWS provides the secure operation and management of iOS and Android devices when used in conjunction with BlackBerry® mobile device management solutions."

"The BlackBerry Cryptographic Algorithm Library is a suite of cryptographic algorithms that provides advanced cryptographic functionality to systems running BlackBerry 10 OS and components of BlackBerry Enterprise Service 10."

I've only found a few who have made public announcements advising their customers about Dual EC use: Cisco and SafeLogic. The OpenSSL Foundation has had many discussions about Dual EC in their own forum. Please leave a comment if you know of other advisories by the remaining companies which I've missed.

Wednesday, January 8, 2014

1. Did Joseph Menn's Reuters article contain sufficient information to raise your suspicion that RSA may have collaborated with the NSA for $10M in exchange for using NSA's preferred encryption algorithm?
If no, you can stop here. If yes, move to question 2.

2. Did RSA's response address your concerns?
If yes, you can stop here. If no, move to question 3.

3. What action can you take that you believe would prompt RSA to be more forthcoming?
Then do it.

I found some illuminating and very funny quotes that depict the adversarial relationship that existed between the NSA and RSA before the controversial $10M contract deal of 2004:

"There is a group at Fort Meadewho fear that which they cannot readso they fight with their friends(God knows to what ends! )In attempts to get more than they need."-- Jim Bidzos, CEO of RSA Data Security (source: Sam Simpson Cryptography Quotes)

"If I see you in the parking lot, I'll run your ass over"- NSA Export Officer to Jim Bidzos (Head of RSA), April '94 (pg 287, Crypto by S.Levy)

"(C) Jim Bidzos, the aggressive RSA representative, was unable to attend but curmudgeon Whit Diffle presented a frail RSA position (Bidzos would have been much more implacable) and was essentially ignored by the panel."- Declassified NSA "Cryptolog" March, 1994, p.17 describing a meeting at Eurocrypt '92 held on May 24-28, 1993 in Hungary.

And then I found this recounting by Jim Bidzos of how the first RSA Security conference came about:

"Yost: You mentioned the conference. Can you talk a bit about the origin of the RSA DataSecurity Conference, about both the founding and the early years of it?"Bidzos: Yes, actually it originated—you know there’s another example where there’s justone moment, one phone call where this happened—right about the time that theElectronic Frontier Foundation was being born around 1991. And actually it was also thetime that something called CPSR, Computer Professionals for Social Responsibility, wasbecoming EPIC, the Electronic Privacy Information Center. The director of which is aguy named Marc Rotenberg."This was a time when the government made an announcement. I don’t think it was the Clipper chip at the time, I think it was something called the DSA. Anyway they were starting to try to set or dictate [encryption] standards for the business community. They had made some announcement and Marc called me upand said, “They’ve just announced this. Have you seen this?”"And I said, “Yes.” And he said, “What are we going to do about this?” And I said, “I don’t know. It sounds to me like the best thing we can do is educate people, so maybe what we ought to do is host aconference and educate people about this. I’ve got access to a lot of people who can talk about it.”"It was his phone call, basically pleading, “What are we going to do? What are you going to do?” He was really bothered by DSA, seemed up in arms and didn’t know what to do. All that nervous energy that I felt somehow made me feel obligated to do something. So that’s when I came up with this idea to have this conference. So I got Rivest and a few other people, I think Marty Hellman was there, Taher El Gamal andsome other people to say this is a bad idea and here’s why. And so we let people come for free, I think we got sixty people. It just seemed like a good thing to do again the following year."

Monday, January 6, 2014

"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."

"We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.'s interests that it's driving them into a frenzy."

- James Bidzos (President, RSA Data Security in an interview with Steven Levy of the New York Times, June 1994)

Compare the above remarks by former RSA President James Bidzos in 1994 with RSA's formal statement about its relationship with the NSA (December 2013):

We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.

What happened to a company that in the 90's knew exactly where it stood vis a vis the NSA and this latest NSA-friendly incarnation? According to Reuters, it was a change in business direction away from pure cryptology in favor of joining the government for the war on hackers.

"When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on." By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers."

Steven Levy's article "Battle of the Clipper Chip" which is where I found the top quote from James Bidzos is a must-read because although it was written 19 1/2 years ago, it provides keen insight into the issues that frame today's crisis of trust with RSA. Back then, the NSA and the Clinton Administration thought that a Key Escrow plan like Clipper Chip was the way to go. When the market place rejected using Clipper, the NSA eventually switched tactics to develop and promote its own encryption algorithm; first to RSA with a $10 million sweetener and then to NIST with the incentive that RSA had already adopted it. Today we all know that the NSA succeeded. What isn't known is why RSA agreed to it.

RSA's public statement on the issue is both misleading and lacking details which pertain to the facts uncovered by Joseph Menn for Reuters. Here are the four key points made in their statement and the problems with each:

“We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”

This fails to disclose the terms of RSA's agreement with the NSA to use Dual EC DRBG. It also paints RSA as naive as to the NSA's motives which is ludicrous once you know what happened 10 years earlier with Clipper Chip.

“This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.”

With this statement RSA is trying to pass off the responsibility for using a back-doored Random Number Generator to the user!

“We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.”

It became a NIST standard because RSA took the NSA's money in the first place. Concerns about the algorithm were raised in 2006 and were included in NIST SP 800-90A as being unresolved. By 2007, RSA should have been sufficiently alarmed to investigate on its own. To say that they relied upon NIST as the arbiter is merely an attempt to shift responsibility away from itself as the producer and onto NIST.

“When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.”

So once the New York Times' article was published and NIST took steps, then RSA did the right thing? And they expect credit for that?

RSA cannot escape responsibility for offering a compromised BSAFE product for the last 9 years by saying "we just followed NIST" and "our customers had a choice". This is a gross violation of its own mission statement not to mention its own illustrious history of defending the integrity of encryption against government attempts to weaken it.

I announced last Friday that I joined Mikko Hyponnen and Josh Thomas in pulling my talk from RSAC, but there needs to be an industry-wide boycott of RSA products. It's not enough to just talk about how bad this is. RSA's parent EMC, like every other corporation, has a Board of Directors that is answerable to its shareholders for maximizing revenue. If RSA's customers begin canceling their contracts and/or refuse to buy RSA products, the company's earnings will drop and that's the type of message that forces Boards to make changes.

Friday, January 3, 2014

Granted, I'm no Mikko Hyponnen and my talk was a mere 20 minutes on the last day of the RSA conference, but I think it's vitally important that those of us who profoundly object to RSA's $10 million secret contract with the NSA do more than just tweet our outrage. We need to take action.

RSA has issued the weakest of denials possible on Dec 22nd and hasn't made any attempt to clarify its position since. The company's denial failed to address most of the troubling points raised in Joe Menn's article for Reuters. This on top of RSA's horrible handling of its 2011 SecureID breach has shattered any remaining trust in the company as far as I'm concerned.

Obviously, I hope that RSA and EMC's leadership will eventually rise to the occasion and be fully transparent about what happened and why. However unless and until RSA fully addresses this apparent breach of trust, I won't be speaking at any RSA events nor will I accept RSA as a sponsor at any future Suits and Spooks events.

UPDATE (Jan 3, 2014): I just learned that Josh Thomas of Atredis also pulled his talk from RSA back on December 26th. That makes three of us as of today.

UPDATE (Jan 7, 2014): Christopher Soghoian announced that he has canceled his RSA talk and Adam Langley announced that he's withdrawing from his panel.

Thursday, January 2, 2014

According to Der Spiegel, the NSA has been developing tools to compromise software, hardware, and firmware made by multinational corporations in the U.S. and overseas. U.S. companies affected include Juniper Networks, Cisco, Dell, Western Digital, Seagate, Maxtor plus many others. Unless the company has offered to work with the NSA to create backdoors in their own products, you have a situation where the agency with the primary responsibility of defending U.S. Department of Defense networks from digital attack is also engaged in weakening the very technology used by the DOD on those networks such as Jupiter Network firewalls, Cisco routers, Seagate hard drives, etc.

Perhaps this wouldn't be a problem if foreign intelligence services (FIS) didn't also have the technical capability of finding those same vulnerabilities or others. For example, Xidian University in Xi'an, Shaanxi, China is one of China's top engineering universities. It's State Key Laboratory of Integrated Services Networks conducts research for military-specific and dual use systems including cryptography, offensive network attacks, and systems to be used in confrontational environments.

Here's another example taken from our data base on adversary R&D research. The Chinese Academy of Sciences' State Key Lab of Information Security reports directly to the Ministry of Public Security, among other government agencies. In addition to their primary research area of information security, they develop network attack systems.

Russia has similar educational institutions which focus on information security and electronic warfare for the Ministry of Defense, the FSB, and other relevant agencies. One example is the Voronezh Military Radio-electronics Insititute which is part of the Voronezh Aviation Engineering School. Part of their information warfare research includes breaking the security of automated systems.

Since Dell, Cisco, Juniper, etc. build hardware, firmware, and software that's broadly used around the world and especially on U.S. government networks, it's only logical to conclude that those companies' products are being examined for exploitable vulnerabilities by Russian and Chinese scientists who are at least equal if not superior to those employed by the NSA. Let's remember that unlike the NSA, scientists at Russian and Chinese foreign research laboratories don't have to compete with their respective versions of a Silicon Valley for high paying tech jobs. They can attract and keep their nation's brightest scientists focused on these high priority government military and civilian projects.

Bottom line - if the NSA has found or developed backdoors in critical U.S. technology, so have our adversaries, and by "adversaries", I don't mean Mandiant's version of the bored PLA hacker with sloppy OPSEC. We need as an industry to have more respect for our opponents. And there needs to be a serious discussion about whether the NSA can really defend U.S. military networks while also engaged in exploiting weaknesses in the very technology that those networks rely upon.

UPDATE (JAN 02 2014): Bruce Schneier has begun posting one NSA exploit per day at his blog. The first one called DEITYBOUNCE exploits the motherboard on Dell PowerEdge servers.